Will Congress finally update a data privacy law that’s 31 years old?

Cross-border data flows have left governments around the world struggling to catch up. But the trend toward tighter restrictions on such flows, in addition to the possibility they will hinder global economic growth, is making it increasingly difficult for companies to comply with competing laws, to respect client data and information, and to conduct international business.

In the United States, the statutory framework for such rules was set down more than 30 years ago, with the now badly out-of-date Electronic Communications Privacy Act. Passed by Congress in 1986, this Reagan-era law extended Fourth Amendment privacy protections to information transmitted over the Internet. However, more than three decades of technological advancements have left ECPA’s protections woefully insufficient. The Senate currently is considering the ECPA Modernization Act, which proposes to address some of ECPA’s weaknesses by offering better clarity for law enforcement and stronger privacy protections for data transmitted within the United States.

While this update to ECPA is much needed and encouraging, even if it passes and is signed by President Trump, there would remain glaring deficiencies in the realm of international electronic communications. Data stored abroad, for instance, present particular challenges for U.S. law enforcement efforts. Companies caught in the middle can find themselves in the precarious position of having to violate other countries’ laws, and potentially users’ privacy expectations, to comply with U.S. data requests.

An ongoing legal case between Microsoft and the U.S. Justice Department highlights some of the significant problems. Beginning in 2014, the U.S. government ordered Microsoft to provide access to emails belonging to an Irish national suspected of drug trafficking that were physically stored on a server in Ireland. Microsoft argued the DOJ needed to request access from the Irish government and that Microsoft did not have legal authority to violate a foreign nation’s privacy laws. The U.S. government countered that Microsoft, being a U.S. company, needed to comply with U.S. law, regardless of the server’s physical location.

Overturning a district court’s ruling, the 2nd U.S. Circuit Court of Appeals ruled in Microsoft’s favor, finding that ECPA “does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers.” DOJ recently filed a petition for a writ of certiorari, reserving the department’s right to appeal to the U.S. Supreme Court.

Given these pressing and plainly visible complications, it’s clear that we will need additional legislation to address these sorts of international legal questions, to prevent further confusion and damage to U.S. relationships with other governments. Such clarity also would grant law enforcement the ability to function effectively without trampling expected levels of privacy.

To address this problem directly and complement ECPA by filling the necessary gaps where the law falls short, Sens. Orrin Hatch, R-Utah, Dean Heller, R-Nev., and Chris Coons, D-Del., recently reintroduced S. 1671, the International Communications Privacy Act. Speaking about the law at a Senate Judiciary Committee Crime and Terrorism Subcommittee hearing in May, Hatch emphasized the need for a “a sensible regime with clear rules that determine access based on factors that actually matter to the person whose data is being sought.” The law should focus on questions relevant to a person’s rights, such as their nationality and location. Hatch added that “privacy laws are meant to protect people, not abstractions.” This suggests he recognizes the reality that the Internet is inherently borderless and thus incompatible with data-localization requirements.

ICPA would set clear guidelines for international data-privacy issues, absolving the courts from having to solve this multifaceted issue on a case-by-case basis.

Under its terms, after obtaining a warrant, U.S. law enforcement would have authority to obtain data belonging to U.S. citizens from U.S. companies, regardless of an individual server’s physical location. It would also allow law enforcement to seek data belonging to foreign citizens from those citizens’ national governments where permitted under existing agreements. Finally, the bill would provide necessary updates to streamline mutual legal assistance treaties (MLAT), agreements between nations that concern the exchange of evidence and information pertaining to criminal justice matters.

Digital technologies have created a borderless medium that enables communication, collaboration, and business among parties around the globe. To ensure law enforcement has the necessary tools to work within an international framework, while respecting privacy rights, Congress should pass ICPA and make long overdue updates to ECPA.